In the first formal written opinion interpreting CCPA compliance obligations, California Attorney General Rob Bonta concludes that the CCPA grants consumers the right to know and access internally generated inferences that businesses generate about them, but that the CCPA does not require businesses to disclose trade secrets.
The 15-page opinion, issued on March 10, responds to a question posed by Sacramento area Assemblyman Kevin Kiley (R): “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”
OAG’s response, in a nutshell, is “yes.” Giving consumers access to inferences is important, according to OAG, because “inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.” OAG further notes that nothing in the Consumer Privacy Rights Act (CPRA) changes its analysis. The opinion also suggests that the OAG will refer to the CCPA’s broad purposes, such as giving “consumers greater control over the privacy of their personal information,” to support its interpretations.
Summary of OAG’s Legal Analysis
OAG’s analysis begins by noting that the CCPA includes a broad set of inferences – the “derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data” – in the statutory definition of “personal information.” Specifically, “personal information” includes “inferences drawn from any of the information identified in [the definition of personal information] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Focusing on this definition, the OAG opinion defines a two-part test to determine whether inferences must be disclosed in response to a consumer access request.
1. First, inferences must be drawn from “information identified in” the definition of “personal information,” Civil Code section 1798.140(o).
The information may be obtained directly from consumers (such as address and income), found in public repositories, bought from a data broker, or inferred through an algorithm. The inference does not have to be made by the business itself. It may be generated internally or received from another source.
The opinion shows little deference to the exemption for public records when it comes to inferences. The opinion asserts that “information in public repositories” is personal information but acknowledges (in a footnote) that information in public records is not. The opinion sweeps this tension aside by concluding that “once a business has made an inference about a consumer, the inference becomes personal information—one more item in the bundle of information that can be bought, sold, traded, and exploited beyond the consumer’s power of control.”
The bottom line is that even if the underlying information is exempt from disclosure because it is publicly available information from government records, an inference based on the information must be disclosed to the consumer, as the inference itself is not available in government records.
2. Second, the inference must be used to create a profile about a consumer, such as by identifying or predicting the consumer’s characteristics. To illustrate an inference that does not give rise to a profile, OAG gives a trivial example: inferences derived when a business combines information “obtained from a consumer with online postal information to obtain a nine-digit zip code.” It is unclear how this is an inference at all, as opposed to a look-up of existing information.
On the other hand, an inference that is used for predicting, targeting, or affecting consumer behavior must be disclosed in an access request.
OAG anticipates and refutes two potential arguments that inferences would not have to be disclosed.
- First, the CCPA requires disclosure of personal information that is collected “about” a consumer, not necessarily collected “from” a consumer. This means that businesses must broadly disclose to consumers inferences they make about the consumer, regardless of the source of the information. Although not addressed in the opinion, this differs from the right to delete, which only applies to information collected “from” a consumer.
- Second, OAG argues that while businesses are not required to disclose trade secrets, individual inferences are not trade secrets. OAG agrees that companies are not required to disclose the inputs or algorithms that form the inferences, but expects companies to produce inferences in response to access requests.
The opinion makes clear that the upcoming California Privacy Rights Act does not change the OAG’s conclusions, and that these issues were not otherwise addressed in the CCPA regulations.
Here are some other takeaways from the OAG opinion:
- OAG acknowledges that CCPA does not require businesses to disclose their trade secrets. The opinion finds that the “most relevant” exception in the CCPA to support this conclusion is that “the obligations imposed on businesses by this title shall not restrict a business’ ability to … comply with federal, state, or local laws.”
OAG cautions, however, that businesses must explain the basis of their denial of an access request with respect to trade secrets. “A blanket assertion of ‘trade secret’ or ‘proprietary information’ or the like would not suffice; the general import of the regulations is that a business must respond to requests in a meaningful and understandable way.”
- Along the same lines, the opinion makes it clear that OAG recognizes key statutory exceptions, such as the exception allowing businesses to comply with applicable law or exercise or defend legal claims. OAG labels these exceptions as “carve-out” provisions “designed to relieve businesses from undue burdens and common legal binds.”
- For those interested in how OAG interprets CCPA, OAG commits to interpret the law by “examining the text, giving the language its usual meaning in order to understand the intent of legislators. The words of a statute must be construed in context and section relating to the same subject must be harmonized to the extent possible.”
- Finally, the opinion spends considerable time reviewing the history and purpose of CCPA, citing to the Cambridge Analytica data breaches, EU passage of GDPR, and legislative history addressing “exploitative tendencies of collecting masses of information and using it to identify and affect unwitting consumers.” This background provides insight into the perceived harms OAG seeks to safeguard through enforcement of CCPA.
Businesses that develop inferences about consumers should take a close look at the OAG’s opinion to determine whether to adjust their procedures for responding to CCPA access requests.